Industrial control systems (ICS) face different security challenges from those of general-purpose computing environments. In the past, ICS were generally isolated—they could rely on their lack of Internet connectivity to protect them from most security threats. Now, however, companies want to take advantage of connectivity to do things more quickly and more cheaply, and to perform real-time analysis that makes their processes more effective and efficient. Those benefits bring new exposure to a broad range of potential attackers.

This project—led by principal investigators Ravi Iyer of TCIPG (also co-associate director at ADSC), Adam Slagell of NCSA, and Robin Sommer of ICSI—will develop new approaches to monitoring network traffic in order to detect sophisticated semantic attacks, which can drive an ICS process into an unsafe state without exhibiting any obvious protocol-level red flags. For example, Iyer and Slagell, working with researchers Zbigniew Kalbarczyk and Hui Lin, recently demonstrated that a few small changes can destabilize a power grid and cause outages without setting off traditional intrusion detection engines, because each command by itself is valid and appropriate. “Detecting this type of attack requires semantic understanding of the greater network to understand the true impact of these innocuous-looking commands,” says Iyer.

“Other intrusion detection systems are signature based—you have to know about an attack to detect it. But almost every attack in the power grid community is zero day, meaning it hasn’t been seen before,” explains Slagell, senior research scientist and chief information security officer at NCSA.

The first thrust of the project is to study ICS network activity in order to develop a deep understanding of operational semantics in terms of actors, workloads, dependencies, and state changes over time.

Next, the project will develop domain-specific behavior models that abstract low-level protocol activity into its semantic meaning, interpreted against the current state of the processes under control. The goal is to integrate these models into operationally viable, real-time network monitoring that reports unexpected deviations as indicators of attack or malfunction.
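To make the two thrusts concrete, here is a small added example (not code from the project, from Bro, or from the authors) of the kind of state-aware monitoring the article describes. It assumes a constructed process model: three transmission lines sharing a fixed load, with flow split evenly across the lines in service, and Modbus-style "write single coil" commands whose coil addresses map to breakers. The grid figures, the coil mapping and the command stream are all invented for illustration. A purely syntactic check accepts every command; the semantic check simulates each command against the current process state and flags the one whose effect is unsafe.

```python
from copy import deepcopy
from dataclasses import dataclass, field


# Constructed process model (assumption, not a real grid): lines carrying a
# shared load, split evenly across lines in service. A line above its thermal
# rating, or a state with no lines in service, is unsafe.
@dataclass
class GridState:
    load_mw: float
    ratings: dict                      # line name -> thermal rating in MW
    in_service: set = field(default_factory=set)

    def flows(self):
        n = len(self.in_service)
        return {line: self.load_mw / n for line in self.in_service} if n else {}

    def violations(self):
        if not self.in_service:
            return ["all lines open: load unserved"]
        return [f"{line} carries {flow:.0f} MW, rating {self.ratings[line]:.0f} MW"
                for line, flow in self.flows().items() if flow > self.ratings[line]]


# Coil address -> breaker. Assumed mapping; a real monitor would load it from
# the site's configuration.
COIL_TO_LINE = {0: "line_A", 1: "line_B", 2: "line_C"}


def protocol_valid(cmd):
    """Syntactic check of the kind a protocol-aware IDS performs: known function
    code (5 = write single coil), mapped address, boolean payload."""
    return (cmd.get("fc") == 5
            and cmd.get("addr") in COIL_TO_LINE
            and isinstance(cmd.get("value"), bool))


def apply_command(state, cmd):
    """Update the tracked process state: value True closes the breaker, False opens it."""
    line = COIL_TO_LINE[cmd["addr"]]
    if cmd["value"]:
        state.in_service.add(line)
    else:
        state.in_service.discard(line)


def semantic_check(state, cmd):
    """Evaluate a command against the *current* process state: simulate it on a
    copy and return the safety violations the resulting state would have."""
    trial = deepcopy(state)
    apply_command(trial, cmd)
    return trial.violations()


def monitor(state, commands):
    """Passive monitor: tracks state from observed traffic and emits one alert per
    command that is malformed or whose effect on the process is unsafe."""
    alerts = []
    for i, cmd in enumerate(commands):
        if not protocol_valid(cmd):
            alerts.append({"index": i, "kind": "protocol", "detail": "malformed command"})
            continue
        problems = semantic_check(state, cmd)
        if problems:
            alerts.append({"index": i, "kind": "semantic", "detail": "; ".join(problems)})
        apply_command(state, cmd)   # the process executes it regardless of our verdict
    return alerts


# Constructed traffic: two well-formed commands, each individually valid.
SAMPLE_COMMANDS = [
    {"fc": 5, "addr": 0, "value": False},   # open breaker on line_A
    {"fc": 5, "addr": 1, "value": False},   # open breaker on line_B
]


def initial_state():
    # 240 MW over three 130 MW lines: 80 MW each, comfortably within rating.
    return GridState(load_mw=240.0,
                     ratings={"line_A": 130.0, "line_B": 130.0, "line_C": 130.0},
                     in_service={"line_A", "line_B", "line_C"})


def run_monitor(commands=SAMPLE_COMMANDS):
    return monitor(initial_state(), commands)


if __name__ == "__main__":
    for alert in run_monitor():
        print(f"command #{alert['index']}: {alert['kind']} alert: {alert['detail']}")
```

Opening line_A leaves line_B and line_C at 120 MW each, which is still within rating, so no alert is raised; opening line_B afterwards puts the whole 240 MW on line_C and the monitor flags it. The same "open line_B" command evaluated from the initial state is harmless, which is the point of interpreting protocol activity against process state rather than matching it against a signature.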

In the project’s “transition to practice” phase, the results of the research will be translated into deployment-ready technology by integrating them into Bro, a widely deployed open-source network monitoring platform maintained by ICSI and NCSA with support from the National Science Foundation. Bro’s users today include major universities, research labs, supercomputing centers, open-science communities, government institutions, and Fortune 10 companies. See www.bro.org for more information.